It's Monday, and infosec-watchers are showing their age by calling internet of things security disclosures “a broken record”. This time, it's a home security system that's remotely p0wnable.
iSmartAlarm ships a variety of app-linked security products, including door sensors, motion sensors, cameras, locks, and a controller unit (called the Cube), with iOS and Android apps, Alexa capabilities … pretty much the full suite of ShinyHappySmartLife™ must-haves.
Now, it's time to get out your bingo cards, because the list of vulnerabilities includes issues with SSL certificate validation, authentication errors, an access control blunder, and a denial of service.
The vulnerabilities were turned up by Ilia Shnaidman of Bullguard Security, which makes a gizmo called Dojo that monitors Wi-Fi networks for threats to IoT devices. Shnaidman requested CVE ID numbers for the bugs, with one request rejected as being in error.
So let's stick with the vulnerabilities that got CVE allocations, the discovery of which is detailed here.
The SSL certificate validation bug is in the CubeOne, which handles communications between the iSmartAlarm-protected home and the smartphone app.
During the SSL handshake with its server, the CubeOne doesn't check the server certificate's validity, so Shnaidman only needed to forge a self-signed cert to get control over CubeOne-to-server traffic.
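The missing check, as an added example that is not taken from Shnaidman's write-up or from iSmartAlarm's firmware: Python's standard ssl module stands in for the CubeOne's TLS client, and all function names are hypothetical. It puts the accept-anything client setting beside the validating one and audits a context before use.

```python
import ssl


def unverified_context():
    """Weak setting: the client completes a handshake with any certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be cleared before CERT_NONE is accepted
    ctx.verify_mode = ssl.CERT_NONE  # self-signed or forged certificates pass
    return ctx


def verified_context(cafile=None):
    """Corrected setting: chain and hostname are both checked."""
    # cafile=None uses the system trust store; a device could pass its vendor CA file.
    return ssl.create_default_context(cafile=cafile)


def audit_context(ctx):
    """Return the validation checks this client context skips."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("certificate is not matched against the server hostname")
    return findings


def require_validation(ctx):
    """Refuse to use a context that would accept a forged certificate."""
    findings = audit_context(ctx)
    if findings:
        raise ValueError("unsafe TLS client context: " + "; ".join(findings))
    return ctx


if __name__ == "__main__":
    for name, ctx in (("unverified", unverified_context()),
                      ("verified", verified_context())):
        print(name, audit_context(ctx) or "ok")
```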
An error in how the system handles its XXTEA (corrected block Tiny Encryption Algorithm) keys allowed the researcher to create and use a valid encryption key, leading to the access control and authentication bypass bugs.
Shnaidman says he went public after the vendor didn't reply to his disclosure (we have contacted the company for confirmation).
At the time of writing, The Register couldn't find an iSmartAlarm firmware update more recent than March 2017. ®